Growing an IAM Team
IAM Online
Wednesday, February 10, 2021
Presenters:
Christopher Bongaarts, University of Minnesota
KT Cragg, University of Minnesota
Bernard Gulachek, University of Minnesota
Kevin Morooney, Internet2, Moderator
KT Cragg - Christopher Bongaarts - Bernard Gulachek
University of Minnesota
Office of Information Technology
Identity and Access Management
February 10, 2021
Overview
Origination
Origination - 1992
● Trigger - need for consolidated student/staff data; mainframe not agile enough to supply
● Grew out of central (academic) computing group in early 90's
● Supported central campus-wide email project (1992) and ID card (1993)
    ○ LDAP to support email address lookup
    ○ ID Card needed unification of staff and student data
● ~4-8 people with a hand in it, mostly sysadmins
    ○ "Identity" functions one of many services
● Survived as a unit until manager (Frank Grewe) passed away suddenly in 2004
Fission
Fission - 2008
● Trigger - without Frank, group lacked strong leader to protect us
● Hung on for a few years, but were eventually split up in 2008
    ○ Identity group got 2 of the 8 people, hired a third in 2009
● Despite onboarding struggles, stood up Shib and Grouper services
● Culture clash with new manager
    ○ Developers vs Sysadmins
    ○ Cowboys vs process
Expansion
Expansion - 2012
● Trigger - OIM, Peoplesoft upgrade (ESUP) projects and new focus on IDM
● Matrix model ("plaid management")
    ○ 1 service owner, 2 devs/pseudo-BAs
● OIM project started 2009
    ○ ESUP, consultant debacle delayed real start to 2016
● Got our first "real" business analyst in 2014
    ○ First attempts at agile (simplified Scrum)
● 2 ESUP developers folded into IAM team in 2014
● Applications Development organizational woes
    ○ IDM grew to 8 people managed by 7 managers
    ○ Between 2012 and 2018 I had 10 different managers.
Consolidation
Consolidation - 2018
● Trigger - communications/consistency issues from multiple managers
● Consolidated all IDM staff under one line manager
    ○ consistent leadership, messaging, direction
    ○ Change agent - took ownership, was able to push process change
● Security event - nice crisis to leverage change, add additional BA/PM
● Governance with BPOs
    ○ Less reliance on developers to guess the Right Thing to Do
● Kanban - legacy identity system project, first big all team effort
● Scrum - full Agile implementation - Service owner also as product owner
Fission, Again
Fission, Again - 2020
● Trigger - hiring more people till single agile team was Too Big
● Split into two teams
    ○ Identity Management - OIM (person registry)
    ○ Access Management - Shib, Grouper, LDAP, RADIUS, etc.
● Back to Forming stage in Tuckman's model (more later)
A place of our own
A place of our own - Fall 2020
● Trigger - higher management support, AppDev Sr. Director retirement
● New IAM directorate separate from Applications Development
● Adopting Scaled Agile Framework (SAFe)
● Transition into staffing pros:
    ○ Dedicated communications/change manager, dedicated QA analyst
    ○ Diverse skill set and demographics
● Added AD team under IAM
    ○ possible now due to IAM directorate and successful agile implementation
Workflow Changes
Workflow changes
● What works for three people and what works for 5, 10, 15, doesn’t scale
    ○ “Just ask Kevin and he will do it”
    ○ Get lots done quickly, but no background documentation to reference later
● Oral tradition to Agile to get work done transparently
    ○ Got us out of operational response mode
    ○ Started setting priorities over a period of time (roadmapping).
    ○ From every two weeks to quarterly
    ○ Balance ops work with project work
An Agile Approach
What is Agile?
● In product development, agile practices approach discovering requirements and developing solutions through the collaborative effort of self-organizing and cross-functional teams and their customer/end user.
● Leveraging Agile values
    ■ Individuals and Interactions over Processes and Tools
    ■ Working Systems, over documentation
    ■ Customer coordination, vs contract negotiation
    ■ Responding to Change, over following a plan
Agile - Our Kanban Journey
● Kanban - a quick approach for coordinating work
    ○ Kanban is a lean method to manage and improve work across human systems. This approach aims to manage work by balancing demands with available capacity, and by improving the handling of system-level bottlenecks.
    ○ Work in/Work out
Agile - Our Scrum Journey
● Scrum is an agile framework for developing, delivering, and sustaining complex products, with an initial emphasis on software development, although it has been used in other fields including research, sales, marketing and advanced technologies.
● Scrum Events - Daily Stand up, Demo, Retrospective and Iteration Planning
    ○ Roles: Product Owner, Scrum Master, Product Team
    ○ Jira as source of truth for all non-ops work
Tuckman’s Model for Team Development
Team Formation - Tools and Techniques
● SWOT analysis - strengths, weaknesses, opportunities and threats
● Affinity Mapping - id-ing priorities and timing
● Two Day Team Building Working Sessions
    ○ Included stakeholders, scrum masters, product owners and development team members
    ○ Why are we doing this?
    ○ What do we need from each other to be successful?
    ○ Creation of Team Charter - our purpose
Team Formation - Tools and Techniques
Values | AntiValues
Curious to learn new things | Spin and starting things we never finish
Diverse knowledge and expertise | Single points of failure and complex knowledge shares
Customer focus and network beyond AppDev | Don’t say no, technical debt, too much networking
Teamwork and collaboration | Too many cooks, consensus building and group think
Transparency | Security and time required
Dedication | Burnout
Integrity | Boil the ocean and lack of compromise
Team Formation - Tools and Techniques
Working Agreements:
1. Being physically present (zoom counts) at meetings is a priority
    a. If you can’t make it to daily scrum, send your update to the IDM Team hipchat room prior to 9:45 the morning of.
2. Update the Jira board in real time
3. Make sure your team & calendar is up to date with upcoming vacations and days off (especially over the summer months) prior to sprint planning for capacity planning.
4. Don’t jump right into solutions
5. Just because you can, doesn’t mean you should - consult with team first
6. Prioritize documentation more
7. Don’t bring everyone to every meeting, but recap priorities/decisions with team via email or slack.
SAFe - How we organize today
The Scaled Agile Framework is a set of organization and workflow patterns intended to guide enterprises in scaling lean and agile practices. Involves coordinating work on a quarterly basis across IT teams.
● Benefits
    ○ Common vocabulary for discussing team formation stages/challenges
    ○ Work transparency and cross functional teams
    ○ Leadership involvement and support
    ○ Smooth transition to Covid 19 work from home life
● Challenges
    ○ Change is hard
    ○ DevOps team that does more than develop, code, test, release = doesn’t fit traditional Scrum team model, we still have specialists
    ○ Might be more structure than we may end up needing
IAM Team Make Up - Leadership/Team Leads/Architects
Business Owner/Senior Director
Senior Product Manager/Service Owner
Release Train Engineer/Communicator
Senior Manager
System Architects
Security Analyst
Tier 3 Support
IAM Team Make Up - Team Level
Access Team
6 applications
● Product Owner
● Full Stack Developers, 2
● Infrastructure Ops
● Developer
● Business Systems Analyst
Identity Team
2 applications
● Product Owner
● Business Analyst/Scrum Master
● Developer, 2
● Quality Assurance Analyst
● Infrastructure Ops
Active Directory
1 application
● Product Owner (shared with Access)
● Developer, 2
IAM Secure Program
z.umn.edu/iamsecure
Governance Structure - the Lifecycle Committee
[Diagram: governance bodies arranged by leadership level (Executive Leadership, Senior Leadership, Middle-Management) and focus area (Technology, Technology/Staffing, Business Process/Policy)]
● Identity Management Service Program Team
● Identity and Access Management Lifecycle Committee
● Identity and Access Management Executive Oversight Committee
● Identity and Access Management Leadership Steering Team*
IAM Program: High-Level Timeline
[Timeline chart spanning FY 2020, FY 2021, FY 2022, FY 2023, FY 2024; tracks: Access Management; Identity Management: Account Lifecycle Transformation]
● Group Based Access Controls
● Access Deprovisioning
● Align Identity Technologies
● New and Improved Identity Store
● Modernize Account Types
● Cloud Access Management
SAFe - Impacts to UMN business
○ Increased Productivity
    ■ New users can lose productivity and time as they wait for accounts to be created. Delays in the ability to access resources often result when manual workflows and approvals cannot be streamlined.
○ Enhanced Security
    ■ The inability to streamline the deprovisioning of users or manage user access privileges to applications and resources exposes the University to the risk of unauthorized access and audit compliance issues.
○ Improved Sharing Ability for Information Across Applications
    ■ Applications are unable to share information that should be shared, such as contact information, files, and common data for calendars and other frequently-used functions.
SAFe Implementation - a CIO’s perspective
Questions?